How Secure Is Your Employee Information?

All recruiting and hiring platforms store what is known as PII, “Personally Identifiable Information”: information that can be used on its own or together with other information to identify, contact, or locate a single person. It is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, plus any other information that is linked or linkable to an individual; medical, educational, financial, and employment records all constitute PII.

Personally Identifiable Information (PII) is the most valuable commodity in the worldwide cybercrime economy. PII records generally sell for around $50 per record on the black market, compared with around $5 for a payment card primary account number (PAN) or a bank account record.

While a stolen PAN can be cancelled and reissued, a social security number cannot be changed, so an individual’s PII stays permanently attached to that person’s identity.

The last several years have seen a dramatic shift in cybercrime targeting: criminals are moving away from individual consumers and toward enterprise targets, especially systems that store large amounts of PII. With recent security incidents like the October DDoS attacks and Target’s infamous credit card breach making front-page news, companies know they have to take precautions to ensure that their data is safe. As a result, many companies are very particular about the security of their payment processing and domain name systems, and for good reason.

But when companies are hyper-focused on only those areas, it can lead to tunnel vision. In particular, one area that is a goldmine of personally identifiable information often gets overlooked: HR technology, like applicant tracking systems (ATS) and human resource information systems (HRIS).

Shared responsibility

All services and applications hosted in the cloud (SaaS-based applications) operate under the same security arrangement, commonly referred to as the ‘shared responsibility model’: the cloud provider secures the underlying infrastructure, and the vendor building on that infrastructure is responsible for securing everything it runs there.

Most cloud-based ATS and HRIS vendors inherit physical data center and hardware security from their host, which means that the host, such as Amazon Web Services, agrees to protect the hardware on which the information is stored and the data center in which the hardware resides. But while this protects the vendor from physical risks like data center failure and break-ins, the vendor’s application and data are still exposed to cyber attacks, and defending them is the vendor’s job, not the host’s.

Platform, application, and data security

Some HRIS and ATS vendors do, however, go a step further. The next level beyond host-provided security is platform, application, and data security, which means the vendor has taken it upon itself to monitor its environment, develop its application securely, and encrypt your data. This is the layer that protects against malicious traffic, brute force attempts, malware, and other application-level dangers.
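As an added illustration (not code from the article or from Jobvite) of what the “monitor for brute force attempts” part of application-level security looks like in practice: the hosting provider sees only network traffic, while the application sees usernames and login outcomes, so this is a detection only the vendor can run. The log format, the thresholds, and the two time windows are assumptions, and the log lines are constructed; the per-user window is deliberately long so that a low-and-slow attack that a short per-IP window would miss still gets caught.

```python
"""Sliding-window brute-force detector over application login events.

Added example, not the article's or Jobvite's code. Log format, thresholds
and windows are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import timedelta

from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp, result, user=..., ip=...).
# 203.0.113.7 sprays five accounts in a few seconds; 198.51.100.2 is a user
# mistyping a password once; 192.0.2.9 tries j.doe every 20 minutes.
SAMPLE_LOG = """\
2017-03-01T09:00:01Z LOGIN_FAIL user=a.smith ip=203.0.113.7
2017-03-01T09:00:03Z LOGIN_FAIL user=b.jones ip=203.0.113.7
2017-03-01T09:00:04Z LOGIN_FAIL user=c.lee ip=203.0.113.7
2017-03-01T09:00:06Z LOGIN_FAIL user=d.wu ip=203.0.113.7
2017-03-01T09:00:08Z LOGIN_FAIL user=e.kim ip=203.0.113.7
2017-03-01T09:14:50Z LOGIN_FAIL user=a.smith ip=198.51.100.2
2017-03-01T09:15:00Z LOGIN_OK user=a.smith ip=198.51.100.2
2017-03-01T10:00:00Z LOGIN_FAIL user=j.doe ip=192.0.2.9
2017-03-01T10:20:00Z LOGIN_FAIL user=j.doe ip=192.0.2.9
2017-03-01T10:40:00Z LOGIN_FAIL user=j.doe ip=192.0.2.9
2017-03-01T11:00:00Z LOGIN_FAIL user=j.doe ip=192.0.2.9
2017-03-01T11:20:00Z LOGIN_FAIL user=j.doe ip=192.0.2.9
"""

# Assumed rules: a short window keyed by source IP catches fast attacks and
# password spraying; a long window keyed by account catches slow guessing
# from one or many IPs.
WINDOW_BY_RULE = {"ip": timedelta(seconds=60), "user": timedelta(hours=2)}
THRESHOLD = 5  # failures inside the window that trigger an alert


def parse_line(line):
    """Split one log line into its timestamp, outcome, user and source IP."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def detect(log_text, threshold=THRESHOLD, windows=WINDOW_BY_RULE):
    """Return (rule, key, timestamp) alerts, one per key each time the
    failure count inside that rule's window first reaches the threshold."""
    recent = {rule: defaultdict(deque) for rule in windows}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "LOGIN_FAIL":
            continue  # only failures count; successes are left alone here
        for rule, window in windows.items():
            q = recent[rule][ev[rule]]
            q.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            # Alert exactly when the threshold is crossed, not on every later failure.
            if len(q) == threshold:
                alerts.append((rule, ev[rule], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, key, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule}={key}: {THRESHOLD} failures in window")
```

Running it flags the spraying IP at 09:00:08 and the account j.doe at 11:20:00; with only the per-IP rule enabled, the slow attack on j.doe never trips the threshold, which is why both keys are needed.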

A vendor relying solely on the cloud provider for security is covering only about 25% of the threat landscape, leaving wide-open opportunities for application attacks, vulnerability exposure, and data theft.


Is your vendor secure?

Before you choose an ATS or HRIS — or even if you already have one — you’ll want to ask your vendor a couple of questions:

  • Where are you hosted? If they’re hosted in the cloud, as the majority of SaaS platforms are, then they need to take additional steps of their own to achieve application-level security; the host’s controls stop at the infrastructure.
  • Do you or your provider have any certifications? It’s easy for someone to simply say they’ll protect your data, but certifications and audit reports show that an independent auditor has examined their controls. If you’re based in the US, ask specifically for the vendor’s own SOC 2 report (for your vendor, not just the hosting provider, since the host’s report does not cover the vendor’s application), and if you operate in Europe, ask about Privacy Shield compliance.

If your vendor fails to provide proof of their security or evades your questions, then it’s time to seriously weigh whether your current experience with them is worth the risk.

It may be a challenge to find an ATS/HRIS that meets these qualifications, but it’s well worth it. Not only does it help ensure that private information stays private, it also speeds up the IT approval process. So if you’re serious about protecting your employee and candidate PII, think proactive, not reactive, and talk to your ATS/HRIS vendor now. Your PR and legal teams will thank you, as will your employees.

Kimberley Smathers

Kimberley Smathers is the director of information security and compliance at Jobvite. She is a dedicated technology professional with a background in developing, managing, and monitoring risk and compliance frameworks for cloud-based enterprise operations. At Jobvite, she is responsible for developing and driving the short- and long-term operations, security, and technical delivery strategies.